DB2 10.5 for Linux, UNIX, and Windows

Audit record layout for AUDIT events

The following table shows the layout of the audit record for AUDIT events.

Sample audit record: 
timestamp=2007-04-10-08.29.52.000001;
category=AUDIT;
audit event=START;
event correlator=0;
event status=0;
userid=newton;
authid=NEWTON;
application id=*LOCAL_APPLICATION;
application name=db2audit.exe;
Table 1. Audit Record Layout for AUDIT Events
NAME FORMAT DESCRIPTION
Timestamp CHAR(26) Date and time of the audit event.
Category CHAR(8) Category of audit event. Possible values are:

   AUDIT
Audit Event VARCHAR(32) Specific Audit Event.

For a list of possible values, refer to the section for the AUDIT category in Audit events.
Event Correlator INTEGER Correlation identifier for the operation being audited. Can be used to identify what audit records are associated with a single event.
Event Status INTEGER Status of audit event, represented by an SQLCODE where

   Successful event > = 0
   Failed event < 0
User ID VARCHAR(1024) User ID at time of audit event.
Authorization ID VARCHAR(128) Authorization ID at time of audit event.
Database Name CHAR(8) Name of the database for which the event was generated. Blank if this was an instance level audit event.
Origin Node Number SMALLINT Member number at which the audit event occurred.
Coordinator Node Number SMALLINT Member number of the coordinator member.
Application ID VARCHAR(255) Application ID in use at the time the audit event occurred.
Application Name VARCHAR(1024) Application name in use at the time the audit event occurred.
Package Schema VARCHAR(128) Schema of the package in use at the time of the audit event.
Package Name VARCHAR(128) Name of package in use at the time the audit event occurred.
Package Section SMALLINT Section number in package being used at the time the audit event occurred
Package Version VARCHAR(64) Version of the package in use at the time the audit event occurred.
Local Transaction ID VARCHAR(10) FOR BIT DATA The local transaction ID in use at the time the audit event occurred. This is the SQLU_TID structure that is part of the transaction logs.
Global Transaction ID VARCHAR(30) FOR BIT DATA The global transaction ID in use at the time the audit event occurred. This is the data field in the SQLP_GXID structure that is part of the transaction logs.
Client User ID VARCHAR(255) The value of the CURRENT CLIENT USERID special register at the time the audit event occurred.
Client Workstation Name VARCHAR(255) The value of the CURRENT CLIENT_WRKSTNNAME special register at the time the audit event occurred.
Client Application Name VARCHAR(255) The value of the CURRENT CLIENT_APPLNAME special register at the time the audit event occurred.
Client Accounting String VARCHAR(255) The value of the CURRENT CLIENT_ACCTNG special register at the time the audit event occurred.

Trusted Context Name

VARCHAR(255)

The name of the trusted context associated with the trusted connection.

Connection Trust Type

CHAR(1)

Possible values are:

'' - NONE
'1' - IMPLICIT_TRUSTED_CONNECTION
'2' - EXPLICIT_TRUSTED_CONNECTION  

Role Inherited

VARCHAR(128)

The role inherited through a trusted connection.
Policy Name VARCHAR(128) The audit policy name.
Policy Association Object Type CHAR(1) The type of the object that the audit policy is associated with. Possible values include:
  • N = Nickname
  • S = MQT
  • T = Table (untyped)
  • i = Authorization ID
  • g= Authority
  • x = Trusted context
  • blank = Database
Policy Association Subobject Type CHAR(1) The type of sub-object that the audit policy is associated with. If the Object Type is ? (authorization id), then possible values are:
  • U = User
  • G = Group
  • R = Role
Policy Association Object Name VARCHAR(128) The name of the object that the audit policy is associated with.
Policy Association Object Schema VARCHAR(128) The schema name of the object that the audit policy is associated with. This is NULL if the Policy Association Object Type identifies an object to which a schema does not apply.
Audit Status CHAR(1) The status of the AUDIT category in an audit policy. Possible values are:
  • B-Both
  • F-Failure
  • N-None
  • S-Success
Checking Status CHAR(1) The status of the CHECKING category in an audit policy. Possible values are:
  • B-Both
  • F-Failure
  • N-None
  • S-Success
Context Status CHAR(1) The status of the CONTEXT category in an audit policy. Possible values are:
  • B-Both
  • F-Failure
  • N-None
  • S-Success
Execute Status CHAR(1) The status of the EXECUTE category in an audit policy. Possible values are:
  • B-Both
  • F-Failure
  • N-None
  • S-Success
Execute With Data CHAR(1) The WITH DATA option of the EXECUTE category in the audit policy. Possible values are:
  • Y-WITH DATA
  • N-WITHOUT DATA
Objmaint Status CHAR(1) The status of the OBJMAINT category in an audit policy. Possible values are:
  • B-Both
  • F-Failure
  • N-None
  • S-Success
Secmaint Status CHAR(1) The status of the SECMAINT category in an audit policy. See Audit Status field for possible values.
Sysadmin Status CHAR(1) The status of the SYSADMIN category in an audit policy. Possible values are:
  • B-Both
  • F-Failure
  • N-None
  • S-Success
Validate Status CHAR(1) The status of the VALIDATE category in an audit policy. Possible values are:
  • B-Both
  • F-Failure
  • N-None
  • S-Success
Error Type CHAR(8) The error type in an audit policy. Possible values are: AUDIT and NORMAL.
Data Path VARCHAR(1024) The path to the active audit logs specified on the db2audit configure command.
Archive Path VARCHAR(1024) The path to the archived audit logs specified on the db2audit configure command
Original User ID VARCHAR(1024) The value of the CLIENT_ORIGUSERID global variable at the time the audit event occurred.